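@echo off
REM Live-response triage collector for a Windows host.
REM Dumps local accounts, processes, sockets, scheduled tasks, services, a
REM directory listing, the common autorun registry keys and the main event
REM logs into C:\ProgramData\quzheng (quzheng = "forensics").
REM
REM Run from an ELEVATED prompt: exporting the Security log (and some of the
REM HKLM queries) fails for a non-administrator, and nothing here stops on
REM error, so a non-elevated run silently yields an incomplete collection.
REM
REM Caveats for the analyst:
REM   - Output is written to the host under examination, so the collection
REM     itself changes filesystem state (new files, MFT/USN/prefetch entries).
REM   - C:\ProgramData is creatable/writable by standard users by default, and
REM     the output (account list, Security.evtx, ...) is sensitive: copy it
REM     off-host and hash it promptly rather than leaving it in place.
REM   - Text outputs use ">>" (append), so a re-run accumulates into the same
REM     files; the .evtx exports are NOT overwritten and wevtutil will refuse
REM     to write if the file already exists.
set "OUT=C:\ProgramData\quzheng"
if not exist "%OUT%" mkdir "%OUT%"

REM Local user accounts (no group membership; see "net localgroup" if needed).
net user>>"%OUT%\user.txt"
REM Running processes with PIDs.
tasklist>>"%OUT%\tasklist.txt"
REM Listening/established sockets with owning PID (join against tasklist.txt).
netstat -ano>>"%OUT%\port.txt"
REM Scheduled tasks in verbose list form so the task action (the command
REM that actually runs) is included; the bare SCHTASKS summary omits it.
schtasks /query /fo LIST /v>>"%OUT%\renwujihua.txt"
REM Installed services and their current state (original filename kept).
sc query>>"%OUT%\sercives.txt"
REM Recursive listing of the CURRENT directory - the script never changes
REM directory, so the scope depends on where it was launched from.
dir /s /b>>"%OUT%\dirs.txt"

REM Common autorun / persistence keys. /s recurses into subkeys.
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run /s>>"%OUT%\reg.txt"
reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run /s>>"%OUT%\reg.txt"
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run /s>>"%OUT%\reg.txt"
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run /s>>"%OUT%\reg.txt"
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /s>>"%OUT%\reg.txt"
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /s>>"%OUT%\reg.txt"
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /s>>"%OUT%\reg.txt"
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /s>>"%OUT%\reg.txt"
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s>>"%OUT%\reg.txt"
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /s>>"%OUT%\reg.txt"
REM Winlogon: the key is "Windows NT" (with a space, so it must be quoted)
REM and Userinit/Shell are VALUES under Winlogon, not subkeys - the unquoted
REM "WindowsNT\...\Winlogon\Userinit" form finds nothing.
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit>>"%OUT%\reg.txt"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell>>"%OUT%\reg.txt"
REM 32-bit view of Run on 64-bit Windows.
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /s>>"%OUT%\reg.txt"
reg query HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run /s>>"%OUT%\reg.txt"

REM Event log exports (.evtx keeps the records intact for offline parsing).
wevtutil epl System "%OUT%\system.evtx"
wevtutil epl Application "%OUT%\Application.evtx"
wevtutil epl Security "%OUT%\Security.evtx"
REM The classic PowerShell log name contains a space and must be quoted;
REM unquoted, wevtutil takes "Windows" as the log and "PowerShell" as the
REM output path, so nothing useful is exported.
wevtutil epl "Windows PowerShell" "%OUT%\powershell.evtx"
REM Modern PowerShell channel (script block logging, event 4104).
wevtutil epl Microsoft-Windows-PowerShell/Operational "%OUT%\powershell-operational.evtx"
REM WMI activity (persistence via event subscriptions, remote WMI execution).
wevtutil epl Microsoft-Windows-WMI-Activity/Operational "%OUT%\WMI.evtx"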